Executive Summary 


Background 

Under the Data Protection Act 1998, every data controller who is 
processing personal information is required to register with the ICO. 
Payments of either £500 or £35 annually are required as a registration fee, 
based on staff levels and turnover, yielding a combined income to the ICO 
of approximately £16 million per year. 


In May 2013, the ICO went live with its new ICE (ICO Customer 
Engagement) system. In conjunction with this, online payment of 
registration fees by debit or credit card was introduced. These currently 
account for around 25% of monthly fee income, with cheque and BACS 
payments reducing accordingly. 


A project team, led by Operations Service Delivery, has established the 
process for the transfer of information into ICE from Barclaycard online, 
the host website for credit and debit card payments. Following requests 
from the relevant departments, this project team is managing the ongoing 
implementation progress. 


Scope 
Our review involved an assessment of the following risks: 


Finance may not have clearly documented and communicated the controls 
over the file transfer from Barclays to ICE and journal entries into the 
finance system, or such controls may not be efficient or applied as 
intended, which may impact the integrity of credit/debit card payment 
data; 

Controls over staff access to ICE and the ability to amend customer 
payment information may not be sufficient, resulting in the risk that 
inappropriate changes could be made to payment information; 
Systems may not enable management to identify where an organisation has 
paid the wrong amount by credit/debit card, resulting in the wrong 
amounts being collected; and 

Processes and authorisation required to refund payments made by credit or 
debit card may not be clearly documented or may not be applied, 
resulting in inappropriate refunds being paid. 


Further details on responsibilities, approach and scope are included in 
Appendix A. 


Overall assessment 
We have made an overall assessment of our findings as: 

We have identified matters which, if resolved, will help management fulfil 
their responsibility to maintain a robust system of internal control. 


Please refer to appendix B for further information regarding our overall 
assessment and audit finding ratings. 


Key findings 

Number of findings by rating (rating levels as defined in Appendix B): 

Risk / Process                                          High  Medium  Low  Advisory 
File transfer from Barclays to ICE                       -      -      -      - 
Staff access to ICE                                      -      -      -      - 
Identifying incorrect payments and management reporting  -      1      1      - 
Credit and debit card refunds                            -      -      -      - 
Total                                                    -      1      1      - 
The following finding was rated as medium priority: 


Certain Management Information and data from the ICE system is 
insufficient for the purposes of financial reporting and to meet the 
needs of the Finance and Notifications teams. Further, the lack of 
functionality within ICE has resulted in significant inefficiencies and 
delays when attempting to reconcile variances between expected 
payment amounts and the figures actually recorded in ICE. 


Further details of our findings and recommendations are provided in 
Section 2. 


Basis of preparation 
Whilst we report by exception, we draw attention to the following matters 
in addition to the issues raised within the findings section of this report. 


There is a clearly documented process for completing the daily file transfer 
from Barclaycard and reconciling the amount taken from Barclaycard 
and uploaded into ICE, and the figure subsequently received by the 
bank. 

The Finance team operate a daily reconciliation process, to ensure that the 
total daily payment per Barclaycard reconciles to the amount 
transferred into ICE and the amount received to the bank account. 

The daily file transfer from Barclaycard to ICE updates each individual 
data controller record for which payment has been made. 

Due to the use of Barclaycard online as a host website, no credit or debit 
card payment details can be manually changed by any member of ICO 
staff. 

Access to amend the payment file prior to upload is restricted to the 
Finance Officers who download it, and the ability to amend a payment 
amount once recorded in ICE is restricted to the project team system 
administrators. Any such changes would be highlighted through the 
reconciliation process, and as noted in seven such instances during our 
testing, all were supported by explanatory notes and an audit trail in 
ICE. 
All tier changes (i.e. from £35 to £500 payments and vice versa) and 
refunds processed by the Notifications team are automatically put into 
a management queue for approval within ICE, giving review over the 
accuracy of the payment. 

Once approved, credit and debit card refunds are paid directly back to the 
relevant card on a weekly basis using Barclaycard online, and signed as 
complete by two members of Finance staff. For a sample of 10 refund 
batches, we confirmed that all had been signed accordingly. For 10 
individual refunds selected from these, we confirmed that the refund 
had been approved in ICE and subsequently refunded back to the 
cardholder using Barclaycard online. 


Acknowledgement 
We would like to take this opportunity to thank the staff involved for their 
co-operation during this internal audit. 
Detailed Findings 

Systems may not enable management to identify where an organisation has paid the wrong amount by credit/debit card, 
resulting in the wrong amounts being collected 

Medium | Reporting capabilities of ICE 

Finding and Implication 

Currently, ICE is unable to collate information and analyse 
data to the extent required by both Finance and Notifications 
in respect of credit and debit card payments. No information 
from ICE is used by the Head of Finance to inform 
operations and support financial reporting. Further, only high 
level figures are able to be extracted by the Notifications 
Manager with no detail of individual additions, removals and 
renewals to the register being available for review or 
investigation. 


In addition, the process of reconciling debit and credit card 
payments can be inefficient. Where variances are 
highlighted, identifying the specific payment can take 
significant amounts of time if the variance occurs in ICE, due 
to the fact information cannot be extracted into Excel and 
compared to the upload file or the list of payments received. 


We discussed these issues with management and found that 
they have been communicated to the ICE project team, 
however due to the level of updates and amendments 
required, these are yet to be dealt with. 


Whilst our review is able to provide assurance that the 
manual reconciliation processes are operating effectively, 
the lack of data analysis and management information from 
ICE gives rise to inefficiencies and time consuming 
processes, as well as poor management information and a 
failure to maximise the impact of the investment in ICE. 
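The record-level comparison that this finding says cannot currently be done from ICE, written as an added illustration (not ICO or ICE code): it checks the three daily totals described in the basis of preparation and, where they disagree, names the specific upload or ICE records behind the variance and flags any amount that matches neither the £35 nor the £500 tier. The upload file format, the registration references and all amounts are constructed for the example.

```python
"""Added illustration, not ICO or ICE code: a record-level three-way check of
the Barclaycard upload file against ICE and the bank receipt, naming the exact
records behind a variance. File format, references and amounts are constructed."""
from decimal import Decimal
from typing import Dict, List, Optional, Tuple

# Registration fee tiers stated in the report; any other amount is a wrong payment.
VALID_TIERS = {Decimal("35"), Decimal("500")}

# Constructed sample upload file, one "reference,amount" per line.
UPLOAD_FILE = """
Z1000001,35
Z1000002,500
Z1000003,35
Z1000004,50
Z1000005,500
"""
# Constructed ICE records: Z1000002 amended after upload, Z1000005 never loaded.
ICE_RECORDS = {"Z1000001": Decimal("35"), "Z1000002": Decimal("35"),
               "Z1000003": Decimal("35"), "Z1000004": Decimal("50")}
BANK_RECEIPT = Decimal("1120")  # constructed amount credited to the bank account

def parse_upload(text: str) -> Dict[str, Decimal]:
    """Turn the upload file into {reference: amount}."""
    payments = {}
    for line in text.strip().splitlines():
        ref, amount = (field.strip() for field in line.split(","))
        payments[ref] = Decimal(amount)
    return payments

def reconcile(upload: Dict[str, Decimal], ice: Dict[str, Decimal],
              bank_total: Decimal) -> dict:
    """Compare the three totals, then list every record where upload and ICE disagree."""
    upload_total = sum(upload.values(), Decimal(0))
    ice_total = sum(ice.values(), Decimal(0))
    variances: List[Tuple[str, Optional[Decimal], Optional[Decimal]]] = []
    for ref in sorted(upload.keys() | ice.keys()):
        if upload.get(ref) != ice.get(ref):
            variances.append((ref, upload.get(ref), ice.get(ref)))
    wrong_tier = [(ref, amt) for ref, amt in sorted(upload.items())
                  if amt not in VALID_TIERS]
    return {
        "upload_total": upload_total,
        "ice_total": ice_total,
        "bank_total": bank_total,
        "totals_agree": upload_total == ice_total == bank_total,
        "variances": variances,    # (reference, upload amount, ICE amount)
        "wrong_tier": wrong_tier,  # amounts matching neither £35 nor £500
    }

def daily_check() -> dict:
    """Run the check over the constructed sample data."""
    return reconcile(parse_upload(UPLOAD_FILE), ICE_RECORDS, BANK_RECEIPT)
```

On the sample data the upload and bank agree at £1,120 while ICE records £155, and the output pins the gap to the amended record and the one never loaded rather than leaving Finance to search for it by hand.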


Proposed action 

All ICE functionality issues should be logged 
with the ICE project team and resolution dates 
agreed and tracked to the satisfaction of the 
Finance and Notifications teams. 


Agreed action 

The priority for the existing project 
team resources is to resolve the current ICE 
performance issues and to implement the web- 
front end by the end of the financial year. 

We have prioritised a number of functionality 
improvements and system enhancements which 
we are working to implement by the end of the 
financial year. 


All functionality issues have been captured 
through the use of a dedicated email account 
and logged on the project backlog. An MI 
reporting workstream has been identified and 
scoped. 


It is intended that some progress will have been 
made by 1 April 2014 however with the current 
staff resources and priorities it is not practical to 
commit to a specific output timeline yet. 


Date Effective: Review 1 April 2014 


Owner: Paul Lee/David Wells 
Appendices 

Sample checks of payment amounts 

Finding and Implication 


Prior to going live with ICE in May 2013, data controller tier 
assessments were submitted in paper form allowing for a brief 
review on processing by Notifications, to identify any 
registrations which appeared to be for the incorrect amount. 


Further, sample checks of 20 to 30 registrations per month 
were undertaken to agree the tier registration paid as being 
appropriate for that data controller. This helped to confirm that 
data controllers annually renewing at £35 had not fulfilled the 
criteria to pay £500, and vice versa. 


Since the system moved online, there can be no such high 
level check of paper registrations. Further, monthly sample 
checks have ceased, due to the volume of work involved in the 
system transfer and the associated level of outstanding issues 
the Notifications team have had to resolve as a result of this. 


The intention for this year is for the NAO (National Audit 
Office) to complete a sample check as part of their Regularity 
Audit. 30 will be tested in January 2014, with a final 40 tested 
in April. 


The intention is to extend the sample size and undertake 
further testing should any errors be identified. 


Proposed action 

The ICO intend to undertake sample checks 
as part of the NAO Regularity Audit. 


Given the potential impact on revenues to the 
ICO, the level of coverage of this control 
should be approved as suitable by the 
Executive. 


Agreed action 

In response to the workload pressures on 
Notification following the go-live of ICE, the 
routine regularity testing by the notification team 
ceased. 


We have discussed the testing of fee income 
regularity with the NAO, and our intended 
approach is to incorporate our testing alongside 
the NAO sampling. 


This will be done for the first time as part of the 
Interim Audit testing at the end of January 2014, 
and those results will inform the future approach 
to ensure the ICO is achieving assurance. 


We hope that a smaller sample will be required 
in future, given that the larger sampling that has 
been taking place since the tiered fees were 
introduced in October 2009 has not suggested 
any regularity issues. 


Once the final approach has been determined, 
approval from the Executive Team will be sought 
formally. 


Date Effective: Formal approval by 31 March 
2014 


Owner: Paul Arnold/Traci Shirley 
Internal audit approach 


Approach 

Our role as internal auditor to a Public Body is to provide an independent 
and objective opinion to the Accounting Officer on risk management, 
control and governance processes, by measuring and evaluating their 
effectiveness in achieving the organisation's agreed strategic objectives. 


Our audit was carried out in accordance with the guidance contained 
within the Government’s Internal Audit Standards (2013) and the Auditing 
Practices Board’s ‘Guidance for Internal Auditors’. We also had regard to 
the Institute of Internal Auditors’ guidance on risk based internal auditing 
(2005). In addition, we comply in all material respects with other 
Government guidance applicable to Public Bodies and have had regard to 
the HM Treasury guidelines on effective risk management (the ‘Orange 
Book’). 


As part of our 2013-14 Audit Plan, we agreed with the Audit Committee 
and management that we should carry out a review of the ICO's 
arrangements for managing credit and debit card payments in ICE, to 
further inform our ongoing understanding of the ICO’s key internal 
control activities. 


Our aim in completing this audit was to ensure that the ICO has 
appropriate arrangements in place to identify, manage and report on risk. 


We achieved our audit objectives by: 
Walking through the debit and credit card payments process to gain an 
understanding of the arrangements in place; 

Reviewing key process documents that support the arrangements in place; 

Testing a sample of specific processes, including payment reconciliations, 
refunds and other exceptions identified from credit and debit card 
payments; and 

Reviewing the level of management information available on credit and 
debit card payments. 


The findings and conclusions from this review will support our annual 
opinion to the Audit Committee on the adequacy and effectiveness of 
internal control arrangements. 


Responsibilities 

The Information Commissioner acts through his Board of Management 
and the Information Commissioner's Office ("ICO") discharges his 
obligations. Therefore references to the Information Commissioner and 
the ICO in this report relate to one and the same party. 


It is the responsibility of the Information Commissioner to ensure that the 
ICO has adequate and effective risk management, control and governance 
processes. 


Information Commissioner's Office | Internal Audit | Financial Management: Debit and credit card 

HM Treasury's Corporate Governance in Central Government 
Departments (2011) states that boards of Public Bodies should determine 
the nature and extent of the significant risks it is willing to take in 
achieving its strategic objectives. The Board should therefore maintain 
sound risk management and internal control systems and should establish 
formal and transparent arrangements for considering how they should 
apply the corporate reporting and risk management and internal control 
principles and for maintaining an appropriate relationship with the 
organisation's auditors. 


Please refer to our letter of engagement for full details of responsibilities 
and other terms and conditions. 


Scope 
Our review involved an assessment of the following risks: 


Finance may not have clearly documented and communicated the controls 
over the file transfer from Barclays to ICE and journal entries into the 
finance system, or such controls may not be efficient or applied as 
intended, which may impact the integrity of credit/debit card payment 
data; 

Controls over staff access to ICE and the ability to amend customer 
payment information may not be sufficient, resulting in the risk that 
inappropriate changes could be made to payment information; 

Systems may not enable management to identify where an organisation has 
paid the wrong amount by credit/debit card, resulting in the wrong 
amounts being collected; and 

Processes and authorisation required to refund payments made by credit or 
debit card may not be clearly documented or may not be applied, 
resulting in inappropriate refunds being paid. 


Additional information 
Client staff 
The following staff were consulted as part of this review: 


Head of Finance 
Finance Officers 
Notifications Manager 
Documents received 
The following documents were received during the course of this audit: 


Credit and debit card procedures and Finance Manual extracts 

Monthly finance reports and Executive Team minutes 

Monthly finance reconciliation of finance system to bank account 

Monthly bank reconciliations 

Walkthroughs and testing of the daily credit and debit card payments were 
completed on site, with a sample taken as evidence and stored on the 
Finance shared drive for data protection reasons 


Locations 
The following locations were visited during the course of this review: 


The Information Commissioner's Office, Wilmslow 
Overall assessment and audit issues ratings 

Overall assessment 

Rating (highest to lowest) | Description 

Following agreement of the nature and significance of individual issues with management, in our view this report contains matters which should be 
raised with Senior Management and the Audit Committee at the earliest opportunity. 

Following agreement of the nature and significance of individual issues with management, in our view this report contains matters which require the 
attention of management to resolve and report on progress in line with current follow up processes. 

We have identified matters which, if resolved, will help management fulfil their responsibility to maintain a robust system of internal control. 

Audit issue rating 
Within each report, every audit issue is given a rating. This is summarised in the table below. 

Rating (highest to lowest) | Description | Features 

Findings that are fundamental to the management of risk in the business 
area, representing a weakness in control that requires the immediate 
attention of management 
• Key control not operating effectively 
• Non compliance with key procedures / standards 
• Non compliance with regulation 

Important findings that are to be resolved by line management 
• Impact is contained within the department and compensating 
controls would detect errors 
• Possibility for fraud exists 
• Control weaknesses identified but not in key controls 
• Non compliance with procedures / standards (but not resulting in key 
control failure) 

Findings that identify non-compliance with established procedures 
• Non compliance with local procedures / standards 

Items requiring no action but which may be of interest to management or 
best practice advice 
• ... accordance with best practice 